Friday morning, CBS News's Sharyl Attkisson reported that Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS), "told Congress there have been two, serious high-risk findings since the website’s launch." Further, Fryer "told congressional interviewers that she explicitly recommended denial of the website’s Authority to Operate (ATO)" in late September, "but was overruled by her superiors." Fryer's statements make sworn assertions by HHS Secretary Kathleen Sebelius that "no senior official reporting to me ever advised me that we should delay" at best difficult to believe.
While the press properly devotes attention to serious security breaches at leading retailer Target, the arguably more serious problems at HealthCare.gov continue to get scant attention. Searches on Fryer's name (not in quotes) at the Associated Press, the New York Times, and Politico all return nothing relevant. Excerpts from Attkisson's startling, read-the-whole-thing report follow the jump (bolds are mine):
High security risk found after HealthCare.gov launch
... Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS), revealed the findings when she was interviewed Tuesday behind closed doors by House Oversight Committee officials. The security risks were not previously disclosed to members of Congress or the public. Obama administration officials have firmly insisted there’s no reason for any concern regarding the website’s security.
... In another security bombshell, Fryer told congressional interviewers that she explicitly recommended denial of the website’s Authority to Operate (ATO), but was overruled by her superiors. The website was rolled out amid warnings Fryer said she gave both verbally and in a briefing that disclosed “high risks” and possible exposure to “attacks”.Fryer also said that she refused to put her name on a letter recommending a temporary ATO be granted for six months while the issues were sorted out.
"My recommendation was a denial of ATO," Fryer told Democrats and Republicans who sat in on the day-long interview. According to Fryer, she first recommended denying the ATO to CMS chief information officer Tony Trenkle based on the many outstanding security concerns after pre-launch testing.
"I had discussions with him on this and told him that my evaluation of this was a high risk," Fryer told the committee. Trenkle retired from his CMS job on Nov. 13. He has not responded to CBS News interview requests.
... On Oct. 30, Rep. Gus Bilirakis, R-Fla., asked Health and Human Services (HHS) Secretary Kathleen Sebelius in testimony to Congress whether "any senior department officials" advised delaying the rollout of HealthCare.gov."I can tell you that no senior official reporting to me ever advised me that we should delay," Sebelius answered. "We have testing that did not advise a delay. So not -- not to my knowledge."But Fryer says she briefed Sebelius' top information officers at HHS in a teleconference on Sept. 20, recommending the website's launch be delayed for security reasons. Fryer testified that the call included HealthCare.gov's chief project manager Henry Chao, HHS chief information security officer Kevin Charest and HHS Deputy Assistant Secretary for Information Technology Officer Frank Baitman. Fryer says she learned three days later that her advice was not going to be followed.
... House Oversight Committee chairman Rep. Darrell Issa, R-Calif., who personally interviewed Fryer, told CBS News that there are potential risks to every facet of the system tied into HealthCare.gov and the public information stored within.
Other IT security officers have also asserted in congressional testimony that no one concerned about the security of their personal information should use HealthCare.gov. The press has also virtually ignored them.
But apparently, even though ABC News also has a Friday morning report by Devin Dwyer containing much of the same information as Attkisson's, none of this appears to fit the definition of "news" at the AP, Politico, or the New York Times.
Their negligence is only exceeded by the Obama administration's decision to launch the obviously not secure HealthCare.gov in the first place.Cross-posted at BizzyBlog.com.